Ordered Computer Vulnerability Remediation Reporting

ABSTRACT

Techniques are provided for ranking a set of vulnerabilities of a computing asset, ranking a set of remediations for a computing asset, and determining a risk score for one or more computing assets. In one technique, vulnerabilities of computing assets in a customer network are received at a vulnerability intelligence platform. Breach data indicating a set of breaches that occurred outside the customer network is also received. A subset of the set of vulnerabilities that is most vulnerable to a breach is identified based on the breach data. In another technique, multiple vulnerabilities of a computing asset are determined, and a risk score is generated for the computing asset based on those vulnerabilities. In another technique, multiple remediations associated with a risk score and multiple vulnerabilities are identified. The remediations are ordered by how much each would reduce the risk score if it were applied to remove the corresponding vulnerabilities.

PRIORITY AND CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims benefit under 35 U.S.C. §120 as a Continuation of application Ser. No. 14/181,415, filed on Feb. 14, 2014, which is related to U.S. patent application Ser. No. 14/181,352 and U.S. patent application Ser. No. 14/181,382, both of which are filed the same day as application Ser. No. 14/181,415, and the entire contents of each of which are hereby incorporated by reference for all purposes as if fully set forth herein.

TECHNICAL FIELD

The present disclosure generally relates to providing information technology (IT) security risk information. The disclosure relates more specifically to techniques for correlating IT security risks from various security risk sources.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

The number of attacks on the IT assets of enterprises has increased tremendously. The rise in attacks has led to the creation and adoption of numerous tools for performing IT security vulnerability assessments. Each security vulnerability assessment tool tends to differ from the others in that it provides one or two features that the other tools do not. Therefore, it is quite common for an enterprise to use several security vulnerability assessment tools when assessing the vulnerabilities of its IT assets. In addition, many enterprises also hire third-party auditors to audit the enterprise's IT assets. In fact, certain industries, such as the financial services and healthcare industries, are required to have their IT assets periodically audited by third-party IT auditors.

The result of using numerous tools and auditing firms to assess the vulnerabilities of IT assets is a large amount of data. Once the tools and the auditing firms produce the vulnerability data, the enterprise's IT security team must use that data to reduce each IT asset's risk of being successfully attacked. Unfortunately, the data generated by the tools and the auditors fails to give the enterprise's IT security team the information it needs to efficiently and effectively prioritize the task of reducing security risk to the enterprise's IT assets.

Therefore, more often than not, the enterprise's IT security team spends additional resources and incurs further costs analyzing the data generated by the security vulnerability assessment tools and IT auditors in order to distinguish the more critical IT security risks from the less critical ones. Furthermore, because the generated data is inherently inaccurate and inherently lacks information about the likelihood of a successful attack on an IT asset, the IT security team's further efforts fail to satisfactorily defend against the most likely and potentially successful attacks on the enterprise's IT assets. This problem is exacerbated as the number of IT assets used by an enterprise grows rapidly, because the amount of vulnerability data generated by the numerous security vulnerability tools and IT auditors grows at a significantly faster pace.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 illustrates an example arrangement for providing a customer with IT security risk information.

FIG. 2 illustrates functional logic of an embodiment as implemented in an application server coupled to a data storage unit.

FIG. 3 illustrates a method of identifying vulnerabilities based onbreach data.

FIG. 4 illustrates an example arrangement of a graphical user interface for presenting risk information related to computing assets of a customer.

FIG. 5 illustrates a method of generating a risk score based on one or more vulnerabilities of a computing asset.

FIGS. 6A-6B are block diagrams that depict an example arrangement of a graphical user interface of a dashboard.

FIG. 7 illustrates a method of prioritizing a set of remediations.

FIG. 8 illustrates a computer system upon which an embodiment may be implemented.

DESCRIPTION OF EXAMPLE EMBODIMENTS

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. It will be apparent, however, to one skilled in the art that the present disclosure may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present disclosure.

Embodiments are described herein according to the following outline:

-   1.0 Overview
-   2.0 Structural and Functional Overview
-   3.0 Correlating Vulnerability Data With Breach Data
-   4.0 Risk Score
-   5.0 Remediation List
-   6.0 Implementation Mechanisms—Hardware Overview
-   7.0 Extensions and Alternatives

1.0 Overview

In an embodiment, a method is described for identifying the vulnerabilities that are most vulnerable to a breach. Vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network is received at, for example, an application server. Breach data that indicates a set of breaches that occurred outside the customer network is also received at the application server. A subset of the set of vulnerabilities that is most vulnerable to a breach is identified based on the breach data. Result data that identifies that subset is then displayed on a computing device.

In an embodiment, a plurality of vulnerabilities of a computing asset is determined. A risk score for the computing asset is generated based on the plurality of vulnerabilities. A graphic that represents the risk score may be displayed and, in response to user selection, cause information about a subset of the vulnerabilities to be displayed.

In an embodiment, a set of remediations associated with a risk score and a set of vulnerabilities is identified. A remediation may be any solution that resolves a vulnerability of a computing asset. For each remediation in the set, the amount by which the risk score would be reduced if the remediation were applied to the corresponding vulnerability is determined. The set of remediations is then ordered based on the amount determined for each remediation.

Embodiments encompass a data processing system, a computer apparatus, or a computer-readable medium configured to carry out the foregoing steps.

2.0 Structural and Functional Overview

Certain embodiments are configured to help reduce or eliminate the costs associated with vulnerability data that fails to provide information about the likelihood of a successful attack on a computing asset. As described herein, a computing asset may be any technology that enables or performs computations, such as a programming language, source code, a software application, a database, an operating system, a desktop computer, a server, or a hardware computing or communication device.

In an embodiment, breach data sourced from across the Internet is correlated with the vulnerabilities discovered in computing assets in a customer network. The result is vulnerability data for an enterprise's IT security team that includes information about the likelihood that an exploit of a particular vulnerability of a particular asset will succeed.

For purposes of illustrating a clear example, assume that a business organization owns numerous computing assets and uses several security vulnerability assessment tools to detect vulnerabilities in them. Additionally, the computing assets are periodically audited by IT auditors. The data gathered and presented by the assessment tools and the IT auditors may inform the organization of the vulnerabilities of its computing assets; however, the organization has no information on which it can rely to determine, effectively and efficiently, which of those vulnerabilities pose the most significant threat and to address them accordingly. Therefore, the organization must still expend additional time and financial and human resources in determining which vulnerabilities are most likely to allow a breach of a computing asset. To accurately prioritize its approach to reducing risk to its assets, the organization needs information about the risks to an asset rather than just information about vulnerabilities, and, in order to resolve vulnerabilities effectively and efficiently, it would be a tremendous help to have an ordered list of remediations in which the first remediation reduces the risk of a computing asset the most.

In an embodiment, a vulnerability threat management platform requests data about breaches, exploits, and vulnerabilities of computing assets from various data sources such as AlienVault's Open Threat Exchange, RiskDB, the National Vulnerability Database, the Web Application Security Consortium (WASC), the Exploit Database, SHODAN, and the Metasploit Project. As referred to herein, a breach is a successful exploit. That is, a breach is a successful attack on a computing asset achieved by exploiting a vulnerability of that asset.

The vulnerability threat management platform may also request, or be provided with, data from one or more customers comprising information about the vulnerabilities associated with each customer's computing assets. For each customer, the platform may then correlate each vulnerability of the customer's computing assets with all breaches of that vulnerability. For each customer, the platform may then provide a ranked or ordered list of vulnerabilities representing the order in which the vulnerabilities should be addressed, such that the vulnerability that poses the most significant threat is addressed first and the one that poses the least significant threat is addressed last.

In some embodiments, the vulnerability threat management platform may provide a quantified measure, referred to herein as a risk score, that indicates how likely a particular asset is to be successfully exploited or breached. The risk score may be a numerical value in a range of numerical values. For example, the risk score may be a value between 0 and 1000, where the higher the number, the more at risk that particular computing asset or group of assets is of being successfully exploited or breached.

A risk score for a vulnerability or a computing asset may be based not only on the likelihood of a breach occurring with respect to that vulnerability or asset, but also on how severe the impact of exploiting the vulnerability or breaching the asset would be. For example, a computing asset may have two vulnerabilities, each with the same likelihood of being breached. However, one of the two vulnerabilities, if breached, makes sensitive financial information accessible to unscrupulous users, while the other, if breached, merely lets unscrupulous users post an innocuous message. The first vulnerability should therefore contribute more to the asset's risk score than the second.

The vulnerability threat management platform may provide a risk score for each computing asset and/or for a group of computing assets.

In some embodiments, the risk score may be determined by considering all vulnerabilities a particular asset may have. Thus, rather than simply having a list of vulnerabilities, the customer has an ordered list of at-risk computing assets, so that the customer can easily tell which computing asset or vulnerability to address first.

In some embodiments, the vulnerability threat management platform also provides an ordered list of remediations, which can be used to resolve one or more vulnerabilities of one or more computing assets. For example, a particular computing asset may have a number of vulnerabilities, and a particular remediation may address one or more of them. Applying a remediation reduces the computing asset's risk score; applying the first remediation on the list reduces the risk score the most, and applying the last remediation on the list reduces it the least. Thus, the customer may eliminate the additional costs of searching for a solution to a particular vulnerability and/or of determining which of the available solutions will most significantly reduce the computing asset's risk score.

The foregoing approaches, structures and functions are described further herein in connection with FIG. 1 and the other drawings. A data storage unit, in this context, may be any electronic digital data recording device configured to store data according to a set of rules and in any format, such as a flat file, a database, a data mart, a data warehouse or other storage unit. A data source, in this context, may be any electronic digital data storage unit capable of providing data to a requesting entity, either at a particular time interval or on demand.

FIG. 1 illustrates an example arrangement for assessing one or more computing assets' risk of being breached using external threat data and the vulnerabilities of those computing assets. As described herein, threat data may refer to any information related to security or to risks posed by one or more vulnerabilities of a computing asset.

FIG. 1 depicts a networked computer system that includes a vulnerability threat management platform 115, a plurality of data sources 101, 102, 103, a data storage unit 112, and a plurality of customers 104 a, 104 b, 104 c.

In this example, data sources 101, 102, 103 publish or provide particular threat-related data. Sources 101-103 may publish the threat-related data at a particular time interval. For instance, data source 101 may publish or provide vulnerability-related data 106 every hour, data source 102 may publish or provide exploit-related data 107 every half hour, and data source 103 may publish or provide breach-related data 108 every 45 minutes. Thus, the frequencies at which data sources 101, 102, 103 publish or provide information may be independent of each other.

In some embodiments, vulnerability threat management platform 115 requests data 106, 107, 108 at the particular time intervals at which they become available. In some embodiments, data sources 101, 102, 103 may directly send data 106, 107, 108, respectively, to vulnerability threat management platform 115 at the time such data becomes available.

Customers 104 a, 104 b, 104 c provide, to vulnerability threat management platform 115, vulnerability data 109, 110, 111, respectively, that indicates vulnerabilities of their computing assets. Additionally, customers 104 a, 104 b, 104 c may provide contextual information related to a particular computing asset, such as the relative importance of that computing asset. For example, one particular computing asset of a customer may be absolutely critical for the customer to carry out its day-to-day operations. Therefore, the customer may indicate that the particular computing asset is the most important of its computing assets. As another example, all computing assets that a customer “tags” as important may be considered equally important, while all other non-tagged computing assets may be treated as equally less important (at least relative to the tagged assets).

In an embodiment, vulnerability threat management platform 115 is hosted by a customer and, thus, interaction with other customers 104 a-104 c is not necessary. In other words, vulnerability data 109-111 may not be relevant, since the customer may implement vulnerability threat management platform 115 only for its own benefit.

In an embodiment, vulnerability threat management platform 115 is hosted on an application server computer capable of executing procedures, such as programs, routines, scripts or other computer-executable commands, necessary for supporting the platform. An example of a vulnerability threat management platform is the Vulnerability Threat Monitoring and Prioritization Platform, commercially available from Risk I/O, Incorporated, Chicago, Ill. In FIG. 1, vulnerability threat management platform 115 is coupled with data storage unit 112. In some embodiments, data storage unit 112 may store contextual information related to customers using vulnerability threat management platform 115.

FIG. 2 illustrates functional logic of an embodiment of a vulnerability threat management platform implemented on an application server computer coupled with a data storage unit. In an embodiment, the application server computer comprises at least one instance of vulnerability threat management platform 115. Vulnerability threat management platform 115 may include or may be coupled to an HTTP server and may be configured to serve HTML documents that browser programs at the customers 104 a-104 c can receive, render, and display.

In an embodiment, vulnerability threat management platform 115 includes a threat data unit 201. In an embodiment, threat data unit 201 may be coupled to the data storage unit 112. Threat data unit 201 receives vulnerability data 106, exploit data 107, and breach data 108 and stores them in storage unit 112. In an embodiment, vulnerability, exploit, and breach data received at threat data unit 201 may be stored in storage unit 112 keyed by vulnerability identifier, such as a CVE-ID or a WASC ID. In an embodiment, threat data unit 201 may be configured to fetch data from the various vulnerability, exploit and breach data sources at a defined time interval. The time interval defined for fetching data may depend upon the frequency at which the data sources make the data available. For example, if the vulnerability, exploit, and breach data sources make data available every hour, every forty-five minutes, and every thirty minutes respectively, then threat data unit 201 may be configured to fetch data from the vulnerability data source every hour, from the exploit data source every forty-five minutes, and from the breach data source every thirty minutes.

In an embodiment, vulnerability threat management platform 115 includes a customer data unit 202. Customer data unit 202 is configured to receive vulnerability data 109, 110, 111 from customers. In an embodiment, customer data unit 202 may be coupled to storage unit 112 and may be configured to store the vulnerability data received from customers in storage unit 112. Customer data unit 202 may also be configured to receive data related to customer preferences and store that data in storage unit 112. For example, customers may send data about the importance of one computing asset relative to other computing assets, or information about the grouping of particular computing assets.

In an embodiment, vulnerability threat management platform 115 includes a risk assessment unit 203. Risk assessment unit 203 may be coupled to threat data unit 201, customer data unit 202, contextual data unit 204, display unit 205, and storage unit 112. Risk assessment unit 203 may be configured to determine the rank or order of vulnerabilities of a customer's computing assets or group of computing assets. Risk assessment unit 203 may also be configured to determine a risk score for a computing asset or group of computing assets, and may also be configured to determine a ranked or ordered list of remediations for a computing asset or a group of computing assets.

In an embodiment, risk assessment unit 203 ranks or orders a list of vulnerabilities of a computing asset based on successful active breaches of each particular vulnerability. Risk assessment unit 203 may determine the number of successful active breaches of a particular vulnerability based on the breach data 108 stored in storage unit 112. In an embodiment, risk assessment unit 203 ranks or orders the list of vulnerabilities based on the number of exploits available for each vulnerability in addition to the number of active breaches of that vulnerability. In an embodiment, risk assessment unit 203 determines the number of exploits based on exploit data 107. Risk assessment unit 203 may also rank or order the list of vulnerabilities based on the CVSS score of a vulnerability in addition to the number of breaches of that vulnerability.

Risk assessment unit 203 may store the ranked or ordered list of vulnerabilities in storage unit 112.

Risk assessment unit 203 may also determine a risk score for a computing asset or a group of computing assets based on the contextual data for that computing asset or group of computing assets provided by contextual data unit 204.

In an embodiment, contextual data unit 204 selects contextual factors relevant to the computing asset and/or the customer that owns the computing asset from storage unit 112 and provides the contextual factors to risk assessment unit 203. In an embodiment, risk assessment unit 203 stores the risk score in storage unit 112. Using contextual factors from contextual data unit 204, risk assessment unit 203 adjusts the risk score of a computing asset or a group of computing assets such that the risk score reflects qualitative factors, such as the importance of a computing asset (or group of computing assets) to the customer, or a computing asset's popularity across the Internet.

In an embodiment, risk assessment unit 203 ranks or orders a list of remediations to address the vulnerabilities of a computing asset or a group of computing assets. Risk assessment unit 203 determines the rank or order of the list of remediations based on the impact of each particular remediation on the risk score of the computing asset or group of computing assets. Risk assessment unit 203 may store the ranked or ordered list of remediations in storage unit 112.

In an embodiment, risk assessment unit 203 determines the impact of a particular remediation on a risk score based on the number of vulnerabilities the particular remediation resolves. Risk assessment unit 203 may also rank or order a list of remediations based on the ease of implementing or applying a particular remediation. Therefore, a customer that is presented with the list of remediations can rely on the list to find the easiest remediations that have the largest impact on reducing the risk posed by the vulnerabilities of a computing asset.
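One way to compute such an ordering, as an added example that is not code from the patent or from the Risk I/O product it names: it assumes that an asset's risk score is the score of its riskiest open vulnerability (one of the options section 4.0 describes), that each remediation lists the vulnerability identifiers it resolves, and an assumed `effort` field (lower is easier to apply) used only to break ties. All scores and remediations below are constructed.

```python
"""Order remediations by how much each reduces an asset's risk score.

Added example; not code from the patent or any product it names.
Assumptions (not stated in the text): the asset score is the maximum of
its per-vulnerability scores, a remediation is a dict listing the
vulnerability identifiers it resolves, and an 'effort' field (lower is
easier to apply) breaks ties. All sample data below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed per-vulnerability risk contributions for one asset (0..1000).
VULN_SCORES: Dict[str, int] = {
    "CVE-2014-0001": 920,
    "CVE-2014-0002": 870,
    "CVE-2014-0003": 400,
    "CVE-2014-0004": 150,
}

# Constructed remediations. patch-D addresses a vulnerability the asset
# does not have, so it must never rank above a remediation that helps.
REMEDIATIONS: List[dict] = [
    {"name": "patch-A", "resolves": ["CVE-2014-0001"], "effort": 3},
    {"name": "patch-B", "resolves": ["CVE-2014-0001", "CVE-2014-0002"], "effort": 3},
    {"name": "config-C", "resolves": ["CVE-2014-0003", "CVE-2014-0004"], "effort": 1},
    {"name": "patch-D", "resolves": ["CVE-2014-0009"], "effort": 1},
]


def score_from_vulns(vuln_scores: Dict[str, int]) -> int:
    """Asset risk score: the score of its riskiest open vulnerability."""
    return max(vuln_scores.values(), default=0)


def reduction_if_applied(vuln_scores: Dict[str, int], remediation: dict) -> int:
    """How far the asset score drops if this one remediation is applied now."""
    resolved = set(remediation["resolves"])
    remaining = {v: s for v, s in vuln_scores.items() if v not in resolved}
    return score_from_vulns(vuln_scores) - score_from_vulns(remaining)


def _priority(vuln_scores: Dict[str, int]):
    # Largest reduction first; among equals, the easiest, then by name.
    return lambda r: (-reduction_if_applied(vuln_scores, r), r["effort"], r["name"])


def rank_single_step(vuln_scores: Dict[str, int], remediations: List[dict]) -> List[Tuple[str, int]]:
    """Rank every remediation by its reduction against the current state.
    This is the list the text describes, but it is only valid for the
    *next* action: once the top item is applied the other reductions change."""
    ordered = sorted(remediations, key=_priority(vuln_scores))
    return [(r["name"], reduction_if_applied(vuln_scores, r)) for r in ordered]


def order_remediations(vuln_scores: Dict[str, int], remediations: List[dict]) -> List[Tuple[str, int]]:
    """Greedy sequence: pick the best remediation, apply it, re-rank, repeat.
    Stops when nothing left reduces the score (e.g. patch-D). With a
    max-based score this matters: after patch-B removes both top
    vulnerabilities, patch-A no longer does anything."""
    open_vulns = dict(vuln_scores)
    pending = list(remediations)
    sequence: List[Tuple[str, int]] = []
    while pending:
        best = min(pending, key=_priority(open_vulns))
        gain = reduction_if_applied(open_vulns, best)
        if gain <= 0:
            break
        sequence.append((best["name"], gain))
        for v in best["resolves"]:
            open_vulns.pop(v, None)
        pending.remove(best)
    return sequence


if __name__ == "__main__":
    print("score now:", score_from_vulns(VULN_SCORES))
    print("single-step ranking:", rank_single_step(VULN_SCORES, REMEDIATIONS))
    print("greedy sequence:", order_remediations(VULN_SCORES, REMEDIATIONS))
```

With the constructed data the single-step list is patch-B (520), patch-A (50), config-C (0), patch-D (0), while the greedy sequence is patch-B (520) followed by config-C (400): patch-A looks useful in isolation but does nothing once patch-B has been applied, which is why a list that is presented as "apply in this order" should be recomputed after each step rather than read top to bottom.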

In an embodiment, after ranking or ordering vulnerabilities, ranking or ordering a list of remediations, and/or determining one or more risk scores, risk assessment unit 203 provides such data to display unit 205. Display unit 205 may be configured to cause data 120-122 to be displayed to customers. In an embodiment, display unit 205 alters its presentation of data to customers from a default presentation based on customer preferences for data presentation.

As noted previously, vulnerability threat management platform 115 may be implemented by a single customer only for its own benefit. In that case there would be no other customers 104 a-104 c involved, and result data 120-122 would not be generated for any other customers.

3.0 Correlating Vulnerability Data with Breach Data

Vulnerability threat management platform 115 analyzes the vulnerability data of the computing assets of customers 104 a-104 c against threat data from various sources, such as data sources 101-103, and provides result data 120-122 to customers 104 a-104 c, respectively. Result data 120-122 includes information about the risks that the corresponding customer faces because of the vulnerabilities of its computing assets. The result data may identify one or more of the most important vulnerabilities of a customer (based on the breach data associated with those vulnerabilities). For example, the top five vulnerabilities with the highest number of breaches (or the vulnerabilities associated with at least a threshold number of breaches) in the most recent time interval are identified, and information about those vulnerabilities is provided in the result data. Result data for a particular customer may be provided to that customer automatically or upon request.

In an embodiment, the information about the risks posed by the vulnerabilities may be presented as a ranked or ordered list of vulnerabilities, where the first vulnerability on the list is the one most likely to be exploited. In an embodiment, vulnerability threat management platform 115 ranks or orders the list of vulnerabilities based on the number of breaches of each vulnerability. For example, suppose the number of breaches of vulnerability CVE-2014-0001 is 5 and the number of breaches of vulnerability CVE-2014-0002 is 7. Vulnerability threat management platform 115 may then determine that CVE-2014-0002 is more likely to be exploited and rank CVE-2014-0002 above CVE-2014-0001.

As described earlier, a breach is a successful exploit. Relying upon breach data to determine and predict which vulnerability is most likely to be exploited, and thus poses the most serious risk to the computing asset, is more accurate and reliable than relying upon threat data comprising only the existing exploits of a vulnerability or a Common Vulnerability Scoring System (CVSS) score of a vulnerability. Reliance only upon the existence of an exploit and/or the CVSS score of a vulnerability often provides incomplete and thus misleading information about the significance of the risk the vulnerability poses to the computing asset. For example, a vulnerability may have a high CVSS score, indicating that it is a critical vulnerability, yet no recent successful exploits, or breaches, of the vulnerability may have occurred. Therefore, while the vulnerability may be critical according to its CVSS score, it does not pose a significant threat to the computing asset, since it is unlikely to be breached.

In an embodiment, vulnerability threat management platform 115 ranks or orders the list of vulnerabilities based on the number of exploits available for each vulnerability in addition to the number of breaches of each vulnerability. In an embodiment, exploit data 107 includes, for each vulnerability, a vulnerability identifier and the number of exploits for that vulnerability. Vulnerability threat management platform 115 may determine the number of exploits for each vulnerability by matching on the vulnerability identifier. Vulnerability threat management platform 115 may also rank or order the list of vulnerabilities based on the CVSS score of a vulnerability in addition to the number of breaches of that vulnerability.

Furthermore, since vulnerability threat management platform 115 may either fetch breach data at a particular time interval or receive breach data at a particular time interval, vulnerability threat management platform 115 may periodically analyze the vulnerabilities of each customer against the freshly fetched or received breach data. In an embodiment, a customer's vulnerabilities may be analyzed at a frequency similar to the frequency at which breach data is fetched or received, thereby providing a near-real-time reassessment of the customer's vulnerabilities.

FIG. 3 illustrates an example method for identifying a subset of vulnerabilities from a set of vulnerabilities that are most vulnerable to a breach, based on breach data. In an embodiment, the operations described for FIG. 3 may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2, but other embodiments may implement the same functions in other contexts using other computing devices.

In step 310, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network is received from a first source. In an embodiment, the first source may be a customer. In an embodiment, the vulnerability data received from the first source may include, for each vulnerability, a vulnerability identifier, such as a CVE-ID or WASC ID.

In step 320, breach data that indicates a set of breaches that occurred outside of the customer network is received from a second source. Breach data may indicate the frequency with which each breach in the set of breaches occurred outside the customer network. For example, for vulnerability V1 the breach data may indicate 89 breaches in the last 30 minutes, while for vulnerability V2 it may indicate 23 breaches in the last 30 minutes. In some embodiments, the second source may be an external data source that provides a breach data feed at a periodic time interval. In some embodiments, breach data may be received from more than one source, where the other sources are different from the first and second sources.

In step 330, a subset of the set of vulnerabilities that is most vulnerable to a breach is identified based on the breach data received. In an embodiment, the subset is identified by matching the vulnerability identifiers of the set of vulnerabilities with the vulnerability identifiers in the breach data. In an embodiment, the identified subset of vulnerabilities is ranked based on the number of times each vulnerability in the subset has been breached. In an embodiment, the subset is identified based on the breach data received and on the number of exploits available for each vulnerability as indicated in the exploit data received. In an embodiment, the subset is identified based on the breach data received and on the CVSS score of each vulnerability included in the vulnerability data received.

In step 340, result data that identifies the subset of vulnerabilities is caused to be displayed on the screen of a computing device. In an embodiment, the subset of vulnerabilities displayed on the screen is a ranked or ordered subset. In an embodiment, each computing asset in the customer's network is one of a database, an operating system, an application, a desktop computer, a mobile computer, a server, or source code.
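The four steps above, carried through end to end as an added example (not code from the patent or from any product it names). The feeds are assumed to be already parsed into lists of records with the hypothetical fields `vuln_id`, `count` (breaches in the source's window) and `exploits`; the customer records, the two breach feeds and the exploit feed are constructed. The join is done on a normalized identifier, because real feeds disagree on case and whitespace and a raw string join silently drops breaches. Absence from the breach data means unobserved, not unexploited; the `min_breaches` threshold and the exploit and CVSS tie-breaks are where a practitioner would tune how hard that assumption bites.

```python
"""Correlate customer vulnerability data with external breach data and
rank the matches (steps 310-340 of FIG. 3).

Added example; not code from the patent or any product it names. The
feeds are assumed to be already parsed into lists of dicts with the
hypothetical fields 'vuln_id', 'count' (breaches) and 'exploits'; all
sample records below are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_id(vuln_id: str) -> str:
    """Canonical identifier so records from different feeds join.
    CVE-style IDs are validated; other IDs (e.g. WASC) are only stripped
    and upper-cased."""
    vid = vuln_id.strip().upper()
    if vid.startswith("CVE") and not _CVE_RE.match(vid):
        raise ValueError(f"malformed CVE identifier: {vuln_id!r}")
    return vid


# Step 310: constructed customer vulnerability data (one row per asset/vuln).
CUSTOMER_VULNS: List[dict] = [
    {"asset": "web-01", "vuln_id": "cve-2014-0001", "cvss": 7.5},
    {"asset": "web-02", "vuln_id": "CVE-2014-0001", "cvss": 7.5},
    {"asset": "db-01", "vuln_id": "CVE-2014-0002", "cvss": 5.0},
    {"asset": "db-01", "vuln_id": "CVE-2014-0003", "cvss": 10.0},  # critical, but unbreached
    {"asset": "app-01", "vuln_id": "WASC-19", "cvss": 6.5},
]

# Step 320: constructed breach feeds from two external sources, each
# reporting breaches seen in its last window. CVE-2099-0001 is heavily
# breached elsewhere but absent from this customer's network.
BREACH_FEED_A: List[dict] = [
    {"vuln_id": "CVE-2014-0001", "count": 5},
    {"vuln_id": "CVE-2014-0002", "count": 4},
    {"vuln_id": "CVE-2099-0001", "count": 50},
]
BREACH_FEED_B: List[dict] = [
    {"vuln_id": " cve-2014-0002", "count": 3},
    {"vuln_id": "WASC-19", "count": 2},
]

# Constructed exploit feed: number of public exploits per vulnerability.
EXPLOIT_FEED: List[dict] = [
    {"vuln_id": "CVE-2014-0001", "exploits": 2},
    {"vuln_id": "CVE-2014-0003", "exploits": 4},
]


def aggregate_counts(feeds: Iterable[Iterable[dict]], field: str) -> Counter:
    """Sum one numeric field per normalized identifier across all feeds."""
    totals: Counter = Counter()
    for feed in feeds:
        for rec in feed:
            totals[normalize_id(rec["vuln_id"])] += int(rec[field])
    return totals


def rank_vulnerabilities(customer_vulns: List[dict], breaches: Counter,
                         exploits: Counter, min_breaches: int = 1,
                         top_n: Optional[int] = None) -> List[Tuple[str, int, int, float, List[str]]]:
    """Step 330: keep only the customer's vulnerabilities that appear in the
    breach data with at least min_breaches, then order by breaches, then
    available exploits, then CVSS, then identifier (for a stable result).
    Returns (vuln_id, breaches, exploits, max_cvss, affected_assets)."""
    by_id: Dict[str, dict] = defaultdict(lambda: {"cvss": 0.0, "assets": set()})
    for rec in customer_vulns:
        entry = by_id[normalize_id(rec["vuln_id"])]
        entry["cvss"] = max(entry["cvss"], float(rec["cvss"]))
        entry["assets"].add(rec["asset"])

    matched = []
    for vid, entry in by_id.items():
        n_breaches = breaches.get(vid, 0)
        if n_breaches < min_breaches:
            continue  # CVE-2014-0003 drops out here despite its CVSS of 10.0
        matched.append((vid, n_breaches, exploits.get(vid, 0),
                        entry["cvss"], sorted(entry["assets"])))
    matched.sort(key=lambda r: (-r[1], -r[2], -r[3], r[0]))
    return matched[:top_n] if top_n else matched


if __name__ == "__main__":
    breach_totals = aggregate_counts([BREACH_FEED_A, BREACH_FEED_B], "count")
    exploit_totals = aggregate_counts([EXPLOIT_FEED], "exploits")
    # Step 340: result data, here just one line per ranked vulnerability.
    for row in rank_vulnerabilities(CUSTOMER_VULNS, breach_totals, exploit_totals, top_n=5):
        print(row)
```

On the constructed input the result is CVE-2014-0002 (7 breaches), then CVE-2014-0001 (5, on two assets), then WASC-19 (2); CVE-2014-0003 is excluded despite its CVSS of 10.0, and the 50 breaches of CVE-2099-0001 are ignored because no customer asset carries it, which is exactly the matching that step 330 describes.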

4.0 Risk Score

In an embodiment, the information about the risks posed by the vulnerabilities may be presented as a risk score. As described previously, a risk score may be a numerical value in a range of numerical values, such as between 0 and 1000, and indicates how likely a particular asset is to be successfully exploited or breached.

In an embodiment, vulnerability threat management platform 115 determines a risk score based upon several contextual factors, including, but not limited to, the number of active breaches of each of the vulnerabilities of the computing asset, the prevalence (or number) of available exploits for each vulnerability, the popularity of the computing asset or how widely the computing asset is used in the customer's industry or across all industries, the difficulty of exploiting the vulnerability, and the importance of the computing asset to the customer.

In some embodiments, the risk score of a computing asset may reflect therisk posed by the most vulnerable vulnerability of the computing asset'svulnerabilities. In other words, the vulnerability that is most likelyat risk of being successfully exploited or breached may represent therisk score of the computing asset instead of simply being, for example,an average of multiple risk scores associated with vulnerabilities ofthe computing asset.

The risk score of a computing asset may be provided to a customer uponreceiving a request from the customer for a risk score of the computingasset. In some embodiments, the risk score of a computing asset may beforwarded to the customer once analysis of the computing asset'svulnerabilities is completed and the computing asset's risk score isdetermined.

In an embodiment, vulnerability threat management platform 115 providesa risk score for a computing asset or a group of computing assets.Vulnerability threat management platform 115 may determine multiplecomputing assets to be grouped based on customer input. For example,some of the computing assets of a financial services company areresponsible for maintaining and storing sensitive personal informationof customers of the financial services company. Determining the risk ofthese computing assets being breached may be very important to thefinancial services company or even required of the financial servicescompany. Therefore, the financial services company may request a riskassessment of a group comprising of the particular assets responsiblefor maintaining and storing sensitive personal information.Vulnerability threat management platform 115 may then provide a riskscore representing the group's risk of being breached.

There is no limit on the manner in which computing assets may be groupedtogether. For example, computing assets may be grouped together based ongeographical location of computing assets, on the type of computingassets, on the subnet of computing assets, or on input from a customer(e.g., 104 a).

In some embodiments, the risk score of a group of computing assets maybe an average of the risk scores of the computing assets. In someembodiments, the risk score of a group of computing assets may bedetermined using a more complex method than an average of risk scores.Alternatively, a risk score of a group of computing assets may be thehighest risk score of any individual computing asset in the group ofcomputing assets.

Vulnerability threat management platform 115 may also store informationenabling a future grouping of the particular assets indicated in storageunit 112 such that vulnerability threat management platform 115 mayretrieve the information in order to group the particular assets anddetermine a risk score the next time the customer requests for a riskassessment of the group of computing assets.

In some embodiments, a range of colors may also be presented, inaddition to the risk score, to indicate the criticality of the riskscore to the customer. For example, if the risk score indicates that theparticular computing asset is at a high risk of being breached, then therisk score may be encompassed within a ring of red color or the riskscore itself may be presented in red color or it may be a combination ofboth, a ring of red color encompassing a risk score in red color. Aparticular color may represent a range of risk scores such that it maypresent a visual cue to the seriousness of the risk. For example, greenmay be used to present a low level of risk, yellow may be used topresent a medium level of risk and red may be used to present a highlevel of risk. There may be more or less risk score ranges than thethree described herein.

FIG. 4 illustrates an example arrangement of a graphical user interface for presenting risk information related to computing assets of a customer. In an embodiment, color ring 401 displays a color that corresponds to a criticality of a risk score 402. In some embodiments, color ring 401 may be filled with color in proportion to risk score 402. For example, in FIG. 4, the risk score of the ten assets is 290 out of 1000; therefore only 29 percent of color ring 401 is filled with a particular color. As described above, colors may be predefined to represent certain risk score ranges. In FIG. 4, green has been predefined to represent a risk score of at least 290. In an embodiment, risk score 402 is also presented in the color reflecting its criticality. A combined graphical representation of color ring 401 and risk score 402 is referred to as a “risk meter.”
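The scoring described in section 4.0 and the risk meter of FIG. 4, as an added example rather than the platform's own formula: each vulnerability is scored on the 0..1000 scale from the contextual factors listed above, an asset takes the score of its worst vulnerability, a group score is either the average or the maximum of its assets, and the score maps to a color band and a proportional ring fill. The weighting of the factors, the color band boundaries and the sample assets are assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean

MAX_SCORE = 1000  # the 0..1000 scale used for risk scores


@dataclass(frozen=True)
class VulnContext:
    vuln_id: str
    active_breaches: int  # breaches observed outside the customer network
    exploit_count: int    # publicly available exploits
    difficulty: float     # 0.0 (trivial to exploit) .. 1.0 (very hard)


@dataclass(frozen=True)
class Asset:
    name: str
    importance: float     # customer-assigned priority, 0.0 .. 1.0
    popularity: float     # how widely the asset is used, 0.0 .. 1.0
    vulns: tuple          # VulnContext instances


def vulnerability_risk(v: VulnContext, asset: Asset) -> int:
    """Assumed weighting: likelihood from breaches, exploits and ease of
    exploitation, scaled by asset popularity and importance."""
    breach_term = min(v.active_breaches, 10) / 10   # saturates at 10 breaches
    exploit_term = min(v.exploit_count, 5) / 5      # saturates at 5 exploits
    likelihood = 0.5 * breach_term + 0.3 * exploit_term + 0.2 * (1.0 - v.difficulty)
    exposure = 0.5 + 0.5 * asset.popularity
    impact = 0.5 + 0.5 * asset.importance
    return round(MAX_SCORE * likelihood * exposure * impact)


def asset_risk(asset: Asset) -> int:
    """The asset score is its single worst vulnerability, not an average."""
    return max((vulnerability_risk(v, asset) for v in asset.vulns), default=0)


def group_risk(assets, method: str = "average") -> int:
    """Group score as the average (default) or the maximum of the asset scores."""
    scores = [asset_risk(a) for a in assets]
    if not scores:
        return 0
    return max(scores) if method == "max" else round(mean(scores))


# Assumed color bands; the text only says that colors map to score ranges.
COLOR_BANDS = ((0, 333, "green"), (334, 666, "yellow"), (667, MAX_SCORE, "red"))


def risk_color(score: int) -> str:
    for low, high, color in COLOR_BANDS:
        if low <= score <= high:
            return color
    raise ValueError(f"score {score} outside 0..{MAX_SCORE}")


def risk_meter(score: int) -> dict:
    """Risk meter: the color ring is filled in proportion to the score."""
    return {"score": score, "color": risk_color(score),
            "fill_percent": round(100 * score / MAX_SCORE)}


# Constructed sample assets (names and identifiers are placeholders).
PAYROLL_DB = Asset("payroll-db", importance=1.0, popularity=0.6, vulns=(
    VulnContext("VULN-A", active_breaches=3, exploit_count=2, difficulty=0.2),
    VulnContext("VULN-B", active_breaches=0, exploit_count=0, difficulty=0.9),
))
EDGE_PROXY = Asset("edge-proxy", importance=1.0, popularity=1.0, vulns=(
    VulnContext("VULN-C", active_breaches=12, exploit_count=6, difficulty=0.0),
))
PRINTER = Asset("lobby-printer", importance=0.1, popularity=0.3, vulns=())
FINANCE_GROUP = (PAYROLL_DB, EDGE_PROXY, PRINTER)

if __name__ == "__main__":
    for a in FINANCE_GROUP:
        print(a.name, risk_meter(asset_risk(a)))
    print("group average", risk_meter(group_risk(FINANCE_GROUP)))
    print("group max", risk_meter(group_risk(FINANCE_GROUP, "max")))
```

Note how the averaged group score lands in the yellow band while the maximum lands in red; the choice of aggregation changes what the customer sees.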

In an embodiment, button 403 represents a list of ordered or ranked remediations that may be presented upon a user clicking button 403. In some embodiments, the list of ordered or ranked remediations may be presented upon hovering over button 403.

Dropdown list 404 may be used to present the asset groups described above. In an embodiment, dropdown list 404 may be used to view and switch between different asset groups in a fast and efficient manner to make it easy for customers to manage a large number of asset groups without wasting time searching for different assets.

In an embodiment, grid 405 may be used to present asset information. Within grid 405, each asset may be presented in a separate row along with certain attributes of the asset indicated in columns of grid 405, such as the number of vulnerabilities of the asset, the priority value of the asset, the location of the asset over the internet, operating system(s) of the asset, one or more tags associated with the asset, and a creation date of the asset or vulnerability. In some embodiments, grid 405 may be interactive such that a user may apply changes to grid 405 and risk score 402 reflects the changes. For example, a user may change the priority value of a particular asset, causing risk score 402 to be adjusted according to the newly given importance of the particular asset.

FIG. 5 depicts an example process for determining a risk score for one or more computing assets. In an embodiment, the steps indicated in FIG. 5 may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2, but other embodiments may implement the same functions in other contexts using other computing devices.

At block 510, a plurality of vulnerabilities of a computing asset is determined. Vulnerabilities of the computing asset may be based on vulnerability data provided by a customer.

In step 520, a risk score for the computing asset is generated based on the plurality of vulnerabilities. In an embodiment, the risk score for the computing asset may also be based on certain contextual factors such as the importance of the asset to the customer.

While FIG. 5 depicts a process where a risk score is generated for a single computing asset, as noted previously, a risk score may be generated for a set of two or more computing assets. A risk score for more than one computing asset may be based on vulnerabilities of each computing asset in the set of computing assets. For example, assets A1 and A2 each have a single vulnerability: V1 for A1 and V2 for A2. A risk score is generated for the set that includes A1 and A2 based on V1 and V2. Thus, a risk score may be generated for a set of two or more computing assets based on a single vulnerability for each computing asset in the set.

In an embodiment, a risk score of a set of computing assets may be displayed on a screen of a computing device. An input that selects the risk score may be received, and in response to receiving the input that selects the risk score, data that indicates each computing asset in the set of computing assets is displayed on the screen. In an embodiment, the data that indicates each computing asset may include a risk score for the computing asset, vulnerabilities of the computing asset, and/or a list of remediations to resolve the vulnerabilities of the computing asset. In an embodiment, a set of computing assets may be grouped based on geographical location of the computing assets in the set, the type of computing assets, the subnet of the computing assets, or customer input.

In some embodiments, the risk scores of different computing assets or groups of computing assets may be displayed concurrently to the customer, referred to herein as a dashboard. In some embodiments, vulnerability threat management platform 115 presents risk scores of computing assets to a customer in a manner that enables the customer to drill down into a group of computing assets and determine the risk score for each computing asset of the group of computing assets. Therefore, the customer is able to view a risk score for the particular computing asset without having to request a risk assessment for the particular computing asset, nor would the customer have to search the rest of the dashboard for the particular computing asset.

FIGS. 6A-6B are block diagrams that depict an example arrangement of a graphical user interface of a dashboard. In FIG. 6A, a dashboard displays various risk meters 610-640, where each risk meter includes risk information related to a particular computing asset group of a customer. For example, risk meter 610 corresponds to desktops in a customer's network while risk meter 630 corresponds to assets involved in the customer's e-commerce website.

In an embodiment, the dashboard may be presented in a grid form as depicted in FIGS. 6A-6B. Risk meters may be presented in such a manner that clicking or hovering over a risk meter may display the computing assets represented by the risk meter. For example, user selection of risk meter 610 may cause the dashboard depicted in FIG. 6B to be displayed, including group data 612. Group data 612 indicates a number of assets in the “Desktops” group, a number of vulnerabilities in that group, a number of vulnerabilities in the group that are considered “Top Priority” (according to some specified criteria), a number of active Internet breaches associated with vulnerabilities in the group, a number of “easily” exploitable vulnerabilities in the group, and a number of popular targets (indicating which vulnerabilities have been the target of the most breaches) in the group.

The dashboards represented in FIGS. 6A-6B also include total aggregate information, such as the total number of vulnerabilities in a customer network (74,005), the total number of “closed vulnerabilities” (9,751) (which are fixed or remediated vulnerabilities), the total number of assets in the customer network, and a vulnerability density (3,143), which may represent the average number of vulnerabilities per asset group or the median number of vulnerabilities across the asset groups.

The dashboards represented in FIGS. 6A-6B may also be fully customizable, such as customizing which asset groups are displayed first or at the top of a view, what information is displayed when a risk meter is selected, and alert information indicating whether an audio alert, visual alert, or message alert (e.g., text, IM) should be sent when a risk score for a risk meter exceeds a certain threshold and/or when multiple risk scores exceed a particular threshold.

5.0 Remediation List

In an embodiment, vulnerability threat management platform 115 provides an ordered or ranked list of remediations applicable to the computing asset. In an embodiment, vulnerability threat management platform 115 analyzes vulnerability data 109, 110, 111, sent by customers 104 a, 104 b, 104 c, respectively, and selects remediations based on mappings of vulnerabilities and remediations. In some embodiments, a remediation may be mapped to one or more vulnerabilities. The list of remediations will be ordered or ranked according to the impact on the overall risk score of a computing asset or a group of computing assets.

In an embodiment, the ranking or ordering of the list of remediations may also be based on ease of implementation or application (e.g., in terms of time and/or work required by the customer) of a remediation, where remediations that are easier to implement or apply are preferred over remediations that are more difficult to implement or apply. For example, remediation R1 takes about ten minutes to apply and remediation R2 takes about nine hours to apply. R1 may be ranked higher than R2 even if R1 has a slightly higher impact on the risk score than the impact R2 has on the risk score.

In an embodiment, mappings of vulnerabilities and remediations may be stored in storage unit 112. In an embodiment, vulnerability threat management platform 115 presents the list of remediations concurrently with a ranked or ordered list of vulnerabilities of a computing asset or group of computing assets, or the risk score of a computing asset or a group of computing assets, or both.

FIG. 7 illustrates an example method for determining a set of remediations for one or more vulnerabilities of a computing asset. In an embodiment, the example method may be performed by vulnerability threat management platform 115 of FIG. 1 or FIG. 2, but other embodiments may implement the same functions in other contexts using other computing devices.

At block 710, a set of remediations associated with a set of vulnerabilities is identified. In an embodiment, the remediations may be identified based on the identifiers of each vulnerability in the set of vulnerabilities. The set of remediations may come from one of customers 104 a-104 c, one of sources 101-103, and/or another source, not depicted.

At block 720, for each remediation in the set of remediations, the amount by which the risk score would be reduced if that remediation were applied to a corresponding vulnerability in the set of vulnerabilities is determined.

At block 730, the set of remediations is ordered based on the amount the risk score is reduced by each remediation in the set of remediations. In an embodiment, the set of remediations may also be ordered by ease of implementation of each remediation.

In an embodiment, a customer is allowed to select a remediation to be applied to its corresponding vulnerability. Once it is applied and the vulnerability is removed, the set of remediations is updated to remove the selected remediation. Afterwards, an updated risk score may be generated based on the updated set of remediations. Also, blocks 520 and 530 may be performed again for the updated set of remediations and based on the updated risk score.
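Blocks 710 to 730 and the re-ranking after a customer applies a remediation, as an added example rather than the platform's own code. It assumes the section 4.0 scoring (an asset scores as its worst remaining vulnerability, a group as the average of its assets) and adds an assumed per-minute effort penalty to express the ease-of-application preference; the vulnerability risk values, remediation mappings and effort figures are constructed placeholders.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Remediation:
    rem_id: str
    fixes: frozenset      # vulnerability ids removed when this remediation is applied
    effort_minutes: int   # ease of application: time the customer must spend


# Constructed sample: risk value (0..1000 scale) of each vulnerability, per asset.
ASSET_VULNS = {
    "web-01": {"V1": 820, "V3": 300},
    "db-01": {"V2": 790, "V4": 120},
}
REMEDIATIONS = [
    Remediation("R1", frozenset({"V1"}), effort_minutes=10),
    Remediation("R2", frozenset({"V2"}), effort_minutes=540),  # about nine hours
    Remediation("R3", frozenset({"V4"}), effort_minutes=5),
]


def asset_risk(vulns: dict) -> int:
    """An asset's score is its single worst remaining vulnerability."""
    return max(vulns.values(), default=0)


def group_risk(asset_vulns: dict) -> int:
    """Group score as the average of the asset scores."""
    scores = [asset_risk(v) for v in asset_vulns.values()]
    return round(mean(scores)) if scores else 0


def apply_remediation(asset_vulns: dict, rem: Remediation) -> dict:
    """Remove every vulnerability the remediation fixes, on every asset."""
    return {asset: {vid: risk for vid, risk in vulns.items() if vid not in rem.fixes}
            for asset, vulns in asset_vulns.items()}


def risk_reduction(asset_vulns: dict, rem: Remediation) -> int:
    """Block 720: how much the group score drops if this remediation is applied."""
    return group_risk(asset_vulns) - group_risk(apply_remediation(asset_vulns, rem))


def rank_remediations(asset_vulns, rems, effort_weight: float = 0.0):
    """Block 730: order by reduction, minus an assumed penalty per minute of
    effort so an easy fix can outrank a slightly more impactful but slow one."""
    def priority(rem):
        return risk_reduction(asset_vulns, rem) - effort_weight * rem.effort_minutes
    return sorted(rems, key=priority, reverse=True)


def remediate(asset_vulns, rems, rem_id: str, effort_weight: float = 0.0):
    """Customer selects a remediation: apply it, drop it from the list and
    re-rank what remains against the updated risk score."""
    chosen = next(r for r in rems if r.rem_id == rem_id)
    updated = apply_remediation(asset_vulns, chosen)
    remaining = [r for r in rems if r.rem_id != rem_id]
    return updated, rank_remediations(updated, remaining, effort_weight), group_risk(updated)


if __name__ == "__main__":
    print("by impact only:", [r.rem_id for r in rank_remediations(ASSET_VULNS, REMEDIATIONS)])
    print("impact and ease:", [r.rem_id for r in rank_remediations(ASSET_VULNS, REMEDIATIONS, 0.25)])
    _, order, score = remediate(ASSET_VULNS, REMEDIATIONS, "R1")
    print("after R1: score", score, "next", [r.rem_id for r in order])
```

R3 ranks last in every ordering because removing V4 leaves db-01's worst vulnerability untouched, so its reduction under a worst-vulnerability score is zero; reductions must be recomputed after each applied remediation for the same reason.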

The embodiments described herein may enable an assessment of risk associated with a computing asset and provide an effective and efficient manner of reducing the risk posed by one or more vulnerabilities of a computing asset or a group of computing assets.

6.0 Implementation Mechanisms—Hardware Overview

According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.

For example, FIG. 8 is a block diagram that illustrates a computer system 800 upon which an embodiment of the invention may be implemented. Computer system 800 includes a bus 802 or other communication mechanism for communicating information, and a hardware processor 804 coupled with bus 802 for processing information. Hardware processor 804 may be, for example, a general purpose microprocessor.

Computer system 800 also includes a main memory 806, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 802 for storing information and instructions to be executed by processor 804. Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 804. Such instructions, when stored in non-transitory storage media accessible to processor 804, render computer system 800 into a special-purpose machine that is customized to perform the operations specified in the instructions.

Computer system 800 further includes a read only memory (ROM) 808 or other static storage device coupled to bus 802 for storing static information and instructions for processor 804. A storage device 810, such as a magnetic disk, optical disk, or solid-state drive, is provided and coupled to bus 802 for storing information and instructions.

Computer system 800 may be coupled via bus 802 to a display 812, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 814, including alphanumeric and other keys, is coupled to bus 802 for communicating information and command selections to processor 804. Another type of user input device is cursor control 816, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 804 and for controlling cursor movement on display 812. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

Computer system 800 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 800 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 800 in response to processor 804 executing one or more sequences of one or more instructions contained in main memory 806. Such instructions may be read into main memory 806 from another storage medium, such as storage device 810. Execution of the sequences of instructions contained in main memory 806 causes processor 804 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.

The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical disks, magnetic disks, or solid-state drives, such as storage device 810. Volatile media includes dynamic memory, such as main memory 806. Common forms of storage media include, for example, a floppy disk, a flexible disk, hard disk, solid-state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.

Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 802. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 804 for execution. For example, the instructions may initially be carried on a magnetic disk or solid-state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 800 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 802. Bus 802 carries the data to main memory 806, from which processor 804 retrieves and executes the instructions. The instructions received by main memory 806 may optionally be stored on storage device 810 either before or after execution by processor 804.

Computer system 800 also includes a communication interface 818 coupled to bus 802. Communication interface 818 provides a two-way data communication coupling to a network link 820 that is connected to a local network 822. For example, communication interface 818 may be an integrated services digital network (ISDN) card, cable modem, satellite modem, or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 818 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 818 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 820 typically provides data communication through one or more networks to other data devices. For example, network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826. ISP 826 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the “Internet” 828. Local network 822 and Internet 828 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 820 and through communication interface 818, which carry the digital data to and from computer system 800, are example forms of transmission media.

Computer system 800 can send messages and receive data, including program code, through the network(s), network link 820 and communication interface 818. In the Internet example, a server 830 might transmit a requested code for an application program through Internet 828, ISP 826, local network 822 and communication interface 818.

The received code may be executed by processor 804 as it is received, and/or stored in storage device 810, or other non-volatile storage for later execution.

7.0 Extensions and Alternatives

In the foregoing specification, embodiments of the disclosure have been described with reference to numerous specific details that may vary from implementation to implementation. Thus, the sole and exclusive indicator of what is the disclosure, and is intended by the applicants to be the disclosure, is the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction. Any definitions expressly set forth herein for terms contained in such claims shall govern the meaning of such terms as used in the claims. Hence, no limitation, element, property, feature, advantage or attribute that is not expressly recited in a claim should limit the scope of such claim in any way. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

What is claimed is:
 1. A method comprising: receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network; receiving, from a second source that is different than the first source, breach data that indicates a set of breaches that occurred outside the customer network; identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a breach; causing result data that identifies the subset to be displayed on a screen of a computing device; wherein the method is performed by one or more computing devices.
 2. The method of claim 1, wherein the breach data indicates a frequency with which each breach in the set of breaches occurred outside the customer network.
 3. The method of claim 2, further comprising: based on the frequency of each breach associated with the subset of the set of vulnerabilities, assigning a ranking to each vulnerability in the subset; wherein causing the result data to be displayed comprises causing the result data to be displayed based on the ranking of each vulnerability in the subset.
 4. The method of claim 1, further comprising: receiving, from a third source that is different than the first and second sources, second breach data that indicates a second set of breaches that have occurred outside the customer network.
 5. The method of claim 1, wherein each computing asset of the computing assets in the customer network is one of a database, an operating system, an application, a desktop computer, a server, or source code.
 6. The method of claim 1, further comprising: receiving, from a third source that is different than the first source and second source, exploit data that indicates a number of exploits for each vulnerability in the set of vulnerabilities; identifying, based on the breach data and exploit data, a subset of the set of vulnerabilities that are most vulnerable to a breach.
 7. The method of claim 1, further comprising: receiving, from a third source that is different than the first source and second source, vulnerability data that indicates a score for each vulnerability in the set of vulnerabilities; identifying, based on the breach data and vulnerability data, a subset of the set of vulnerabilities that are most vulnerable to a breach.
 8. One or more computer-readable media storing instructions which, when executed by one or more processors, cause: receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network; receiving, from a second source that is different than the first source, breach data that indicates a set of breaches that occurred outside the customer network; identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a breach; causing result data that identifies the subset to be displayed on a screen of a computing device.
 9. The one or more computer-readable media of claim 8, wherein the breach data indicates a frequency with which each breach in the set of breaches occurred outside the customer network.
 10. The one or more computer-readable media of claim 9, wherein the instructions, when executed by the one or more processors, further cause: based on the frequency of each breach associated with the subset of the set of vulnerabilities, assigning a ranking to each vulnerability in the subset; wherein causing the result data to be displayed comprises causing the result data to be displayed based on the ranking of each vulnerability in the subset.
 11. The one or more computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause: receiving, from a third source that is different than the first and second sources, second breach data that indicates a second set of breaches that have occurred outside the customer network.
 12. The one or more computer-readable media of claim 8, wherein each computing asset of the computing assets in the customer network is one of a database, an operating system, an application, a desktop computer, a server, or source code.
 13. The one or more computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause: receiving, from a third source that is different than the first source and second source, exploit data that indicates a number of exploits for each vulnerability in the set of vulnerabilities; identifying, based on the breach data and exploit data, a subset of the set of vulnerabilities that are most vulnerable to a breach.
 14. The one or more computer-readable media of claim 8, wherein the instructions, when executed by the one or more processors, further cause: receiving, from a third source that is different than the first source and second source, vulnerability data that indicates a score for each vulnerability in the set of vulnerabilities; identifying, based on the breach data and vulnerability data, a subset of the set of vulnerabilities that are most vulnerable to a breach.
 15. An apparatus comprising: one or more processors; one or more computer-readable media storing instructions which, when executed by the one or more processors, cause: receiving, from a first source, vulnerability data that indicates a set of vulnerabilities of computing assets in a customer network; receiving, from a second source that is different than the first source, breach data that indicates a set of breaches that occurred outside the customer network; identifying, based on the breach data, a subset of the set of vulnerabilities that are most vulnerable to a breach; causing result data that identifies the subset to be displayed on a screen of a computing device.
 16. The apparatus of claim 15, wherein the breach data indicates a frequency with which each breach in the set of breaches occurred outside the customer network.
 17. The apparatus of claim 16, wherein the instructions, when executed by the one or more processors, further cause: based on the frequency of each breach associated with the subset of the set of vulnerabilities, assigning a ranking to each vulnerability in the subset; wherein causing the result data to be displayed comprises causing the result data to be displayed based on the ranking of each vulnerability in the subset.
 18. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause: receiving, from a third source that is different than the first and second sources, second breach data that indicates a second set of breaches that have occurred outside the customer network.
 19. The apparatus of claim 15, wherein each computing asset of the computing assets in the customer network is one of a database, an operating system, an application, a desktop computer, a server, or source code.
 20. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause: receiving, from a third source that is different than the first source and second source, exploit data that indicates a number of exploits for each vulnerability in the set of vulnerabilities; identifying, based on the breach data and exploit data, a subset of the set of vulnerabilities that are most vulnerable to a breach.
 21. The apparatus of claim 15, wherein the instructions, when executed by the one or more processors, further cause: receiving, from a third source that is different than the first source and second source, vulnerability data that indicates a score for each vulnerability in the set of vulnerabilities; identifying, based on the breach data and vulnerability data, a subset of the set of vulnerabilities that are most vulnerable to a breach.